On September 7th 2021, Microsoft officially announced CVE-2021-40444 on their website, describing it as a vulnerability in MSHTML that allows remote code execution. What has been observed to occur with malware that is weaponising this vulnerability is a Microsoft Office document (.docx, .xlsx or .pptx) will be able to reach out to the Internet, download and execute a .html file that contains malicious ActiveX code within it via the internal browser rendering engine found within Word, Excel and Powerpoint.
If an Office document has been downloaded from the Internet, or sent as an email attachment, it should contain a bit of extra information in its alternate data stream (ADS). This extra bit of information is the Zone.Identifier which will contain the ‘zone’ it was downloaded from. In the case of a downloaded document, it will contain the ‘mark of the web’ (MOTW) , which means that Microsoft Office will open that document in Protected View. Protected View has been confirmed to prevent the automatic execution of this vulnerability. However, much like the default warnings on macro-enabled documents, many users will click the yellow bar at the top to disable Protected View, removing the protections in place and enabling the vulnerability to be exploited.
However, if an Office document is delivered via a .ZIP file, and the Office document is extracted locally onto the disk, the Zone.Identifier may not be there and the exploit will run once the document is opened. The exploit has also been observed to run when a document is previewed in Windows Explorer.
What should I do?
The official advice from Microsoft at this stage is to disable ActiveX controls on endpoints via Group Policy or Registry Editor. There are however reports from security researchers on Twitter that they have modified code to not require new ActiveX controls, which bypasses this workaround.
Microsoft have also suggested disabling preview in Windows Explorer. The full post from Microsoft with instructions on how to complete these tasks can be found here.
Analysing some malware
Malware Bazaar has a handy tag for CVE-2021-40444 that has several samples that can be analysed.
Analysis was undertaken on the sample “A Letter before court 4.docx” (SHA256: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52), “side.html” (SHA256: d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6) and “ministry.cab” (SHA256: 1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00).
We first started by taking a look at the .docx file, the first piece of the chain. On the surface it looks like a regular Microsoft Word document:
A quick look at the Macro menu shows that there aren’t any macros embedded in this document, which are often used for malicious activity.
This is because the command that is used for reaching out and downloading the malicious .html file is embedded within the document.xml.rels file. Modern Office documents can be unzipped to inspect the contents of the file, if we unzip this .docx file and navigate through to \word\_rels\ document.xml.rels we are able to see where mhtml:http is and where the malicious .html file is hosted:
At the time of our analysis, the infrastructure that hosted the malicious files was no longer active, so we opted to host the files locally in our analysis environment to observe the next parts of the attack. After opening the .docx file on our Windows host, we’re able to observe a few noteworthy things:
Winword.exe reaches out and downloads side.html and ministry.cab from our malicious website.
The side.html file contains some (heavily obfuscated) ActiveX code within it that is executed by winword.exe.
Lockedbyte has released some Proof of Concept (PoC) code on their GitHub which includes a deobfuscation python script which you can utilise for tidying up any .html pages containing the ActiveX code found in the wild. Lockedbyte have also included a fully deobfuscated copy of their PoC ActiveX code, which is a lot easier to follow:
For the host telemetry, we’re able to see that winword.exe spawns control.exe, which then spawns rundll32.exe, with some interesting arguments in the command lines as well.
CVE-2021-40444 is still a relatively new vulnerability and as such, robust detection rules are still being researched. When building detections for your environment it is important to consider whether any of these rules may potentially flag regular business usage. There may be other forms of weaponising this attack, and these methods should not be relied on as a sole techniques for detection.
- Check for mhtml:http in Office documents
- Look for winword.exe, excel.exe or powerpnt.exe reaching out to unusual websites
- Look for winword.exe, excel.exe or powerpnt.exe spawning control.exe
- Look for unusual command line arguments